#CyberAware – 4 FAQs on Penetration Testing

Penetration testing is one of the best practices to ensure a company’s infrastructure is secure from bad actors trying to get their hands on confidential information. On the occasion of this year’s National Cybersecurity Awareness Month (NCSAM) – #CyberAware – we want to discuss 4 of the most frequently asked questions about penetration testing.

What is the difference between a Vulnerability Assessment and a Penetration Test?

A vulnerability assessment is aimed at identifying known vulnerabilities in an organization’s infrastructure. This is helpful for establishing whether or not the company’s security measures are working. However, one does not actually exploit the vulnerabilities identified or consider the overall security management processes.

A penetration test (or pentest), on the other hand, evaluates the security of assets by running a series of planned attacks with the goal of finding and exploiting vulnerabilities. It is intended to be much more in depth, and a specific methodology must be respected.

In other words, the vulnerability assessment is one part of the penetration testing process, and the actual exploitation happens in the next phase of the penetration testing cycle. Penetration testing is a more complete process, and goes as follows:

Information Gathering

Footprinting & Scanning

Vulnerability Assessment

Exploitation

Reporting

What are the different Types of Penetration Tests?

A penetration tester, much like an experienced ethical hacker, performs deep investigations of the remote system’s security flaws and tests for all vulnerabilities, not just the ones that may grant them root access. Penetration testing is not about getting root. Some of the most common forms of penetration tests are:

What should be included in a Penetration Test Report?

Any thorough and professional penetration testing report should provide a detailed breakdown of your findings in an easily interpreted format. It is your way of officially delivering and communicating the results of your tests to executives, IT staff, and the development team, so you have to remember to talk in a manner that non-security teams understand.

A next-level report should include the following:

The techniques used

The vulnerabilities found

All of the exploits used

The impact and risk analysis for each vulnerability

Possible remediation plan

Hint: Targeted tips on how to effectively remediate each vulnerability are the real value for the client.

What are the Limitations of Penetration Testing?

Undertaking a series of penetration tests is a useful practice that will help strengthen an organization’s security, but it has its limitations. For example: